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ABSTRACT 

On the evening of November 2, 1988, a self-replicating program was released upon the Internet 1 . This program (a 
worm ) invaded VAX and Sun-3 computers running versions of Berkeley Unix, and used their resources to attack still 
more computers 2 . Within the space of hours this program had spread across the U.S., infecting hundreds or thousands 
of computers and making many of them unusable due to the burden of its activity. This paper provides a chronology 
for the outbreak and presents a detailed description of the internals of the worm, based on a C version produced by 
decompiling. 

1. Introduction 

There is a fine line between helping administrators protect their systems and providing a cookbook for bad guys. 
[Grampp and Morris, “Unix Operating System Security”] 

November 3, 1988 is already coming to be known as Black Thursday. System administrators around the 
country came to work on that day and discovered that their networks of computers were laboring under a huge load. 
If they were able to log in and generate a system status listing, they saw what appeared to be dozens or hundreds of 
“shell” (command interpreter) processes. If they tried to kill the processes, they found that new processes appeared 
faster than they could kill them. Rebooting the computer seemed to have no effect — within minutes after starting up 
again, the machine was overloaded by these mysterious processes. 

These systems had been invaded by a worm. A worm is a program that propagates itself across a network, 
using resources on one machine to attack other machines. (A worm is not quite the same as a virus, which is a pro- 
gram fragment that inserts itself into other programs.) The worm had taken advantage of lapses in security on sys- 
tems that were running 4.2 or 4.3 BSD UNIX or derivatives like SunOS. These lapses allowed it to connect to 
machines across a network, bypass their login authentication, copy itself and then proceed to attack still more 
machines. The massive system load was generated by multitudes of worms trying to propagate the epidemic. 

The Internet had never been attacked in this way before, although there had been plenty of speculation that an 
attack was in store. Most system administrators were unfamiliar with the concept of worms (as opposed to viruses, 
which are a major affliction of the PC world) and it took some time before they were able to establish what was 
going on and how to deal with it. This paper is intended to let people know exactly what happened and how it came 
about, so that they will be better prepared when it happens the next time. The behavior of the worm will be exam- 
ined in detail, both to show exactly what it did and didn’t do, and to show the dangers of future worms. The epi- 
graph above is now ironic, for the author of the worm used information in that paper to attack systems. Since the 
information is now well known, by virtue of the fact that thousands of computers now have copies of the worm, it 
seems unlikely that this paper can do similar damage, but it is definitely a troubling thought. Opinions on this and 
other matters will be offered below. 


1 The Internet is a logical network made up of many physical networks, all running the IP class of network protocols. 

2 VAX and Sun-3 are models of computers built by Digital Equipment Corp. and Sun Microsystems Inc., respectively. Unix is a Re- 
gistered Bell of AT&T Trademark Laboratories. 
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finger attack works, describes how to defeat the SMTP attack by rebuilding sendmail, and explicitly 
mentions the rexec attack. Unfortunately Sudduth’s message is blocked at relay.cs.net while that gate- 
way is shut down to combat the worm, and it does not get delivered for almost two days. Sudduth 
acknowledges authorship of the message in a subsequent message to TCP-IP on Nov. 5. 

1 1/3: 0254 Keith Bostic sends a fix for sendmail to the newsgroup comp.bugs.4bsd.ucb-fixes and to the TCP-IP 
mailing list. These fixes (and later ones) are also mailed directly to important system administrators 
around the country. 

1 1/3: early morning 

The wtmp session log is mysteriously removed on prep.ai.mit.edu. 

1 1/3: 0507 Edward Wang at Berkeley figures out and reports the finger attack, but his message doesn’t come to 
Mike Karels’ attention for 12 hours. 

The annual Berkeley Unix Workshop commences at UC Berkeley. 40 or so important system 
administrators and hackers are in town to attend, while disaster erupts at home. Several people who 
had planned to fly in on Thursday morning are trapped by the crisis. Keith Bostic spends much of the 
day on the phone at the Computer Systems Research Group offices answering calls from panicked sys- 
tem administrators from around the country. 

(approx.) 

The team at MIT Athena calls Berkeley with an example of how the finger server bug works. 

Dave Pare arrives at Berkeley CSRG offices; disassembly and decompiling start shortly afterward 
using Pare’s special tools. 

(approx.) 

The Berkeley group sends out for calzones. People arrive and leave; the offices are crowded, there’s 
plenty of excitement. Parallel work is in progress at MIT Athena; the two groups swap code. 

Keith Bostic posts a fix for the finger server. 

Members of the Berkeley team, with the worm almost completely disassembled and largely decom- 
piled, finally take off for a couple hours’ sleep before returning to the workshop. 

Theodore Ts’o of Project Athena at MIT publicly announces that MIT and Berkeley have completely 
disassembled the worm. 

11/4: 1700 (approx.) 

A short presentation on the worm is made at the end of the Berkeley UNIX Workshop. 

1 1/8: National Computer Security Center meeting to discuss the worm. There are about 50 attendees. 

11/11: 0038 Fully decompiled and commented worm source is installed at Berkeley. 

3. Overview 

What exactly did the worm do that led it to cause an epidemic? The worm consists of a 99-line bootstrap pro- 
gram written in the C language, plus a large relocatable object file that comes in VAX and Sun-3 flavors. Internal 
evidence showed that the object file was generated from C sources, so it was natural to decompile the binary 
machine language into C; we now have over 3200 lines of commented C code which recompiles and is mostly com- 
plete. We shall start the tour of the worm with a quick overview of the basic goals of the worm, followed by discus- 
sion in depth of the worm’s various behaviors as revealed by decompilation. 

The activities of the worm break down into the categories of attack and defense. Attack consists of locating 
hosts (and accounts) to penetrate, then exploiting security holes on remote systems to pass across a copy of the 
worm and run it. The worm obtains host addresses by examining the system tables /etc/hosts. equiv and /.rhosts, 
user files like .forward and . rhosts , dynamic routing information produced by the netstat program, and finally ran- 
domly generated host addresses on local networks. It ranks these by order of preference, trying a file like 
/etc/hosts, equiv first because it contains names of local machines that are likely to permit unauthenticated connec- 
tions. Penetration of a remote system can be accomplished in any of three ways. The worm can take advantage of a 
bug in the finger server that allows it to download code in place of a finger request and trick the server into execut- 
ing it. The worm can use a “trap door” in the sendmail SMTP mail service, exercising a bug in the debugging code 
that allows it to execute a command interpreter and download code across a mail connection. If the worm can 
penetrate a local account by guessing its password, it can use the rexec and rsh remote command interpreter services 


11/3: 0900 

11/3: 1500 
11/3: 1626 
11/3: 1800 

11/3: 1918 
1 1/4: 0600 

1 1/4: 1236 
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its file descriptors, temporarily cutting itself off from its remote parent worm, and removes some files. (One of these 
files, /tmp/. dumb, is never created by the worm and the unlinking seems to be left over from an earlier stage of 
development.) The worm then zeroes out its argument list, again to foil the system status program ps. The next step 
is to initialize the worm’s list of network interfaces; these interfaces are used to find local networks and to check for 
alternate addresses of the current host. Finally, if cleaning up the worm resets its process group and kills the process 
that helped to bootstrap it. The worm’s last act in mainQ is to call a function we named doitQ, which contains the 
main loop of the worm. 

doitQ runs a short prologue before actually starting the main loop. It (redundantly) seeds the random number 
generator with the current time, saving the time so that it can tell how long it has been running. The worm then 
attempts its first infection. It initially attacks gateways that it found with the netstat network status program; if it 
can’t infect one of these hosts, then it checks random host numbers on local networks, then it tries random host 
numbers on networks that are on the far side of gateways, in each case stopping if it succeeds. (Note that this 
sequence of attacks differs from the sequence the worm uses after it has entered the main loop.) 

After this initial attempt at infection, the worm calls the routine checkotherQ to check for another worm 
already on the local machine. In this check the worm acts as a client to an existing worm which acts as a server; 
they may exchange “population control” messages, after which one of the two worms will eventually shut down. 

One odd routine is called just before entering the main loop. We named this routine send_messageQ, but it 
really doesn’t send anything at all. It looks like it was intended to cause 1 in 15 copies of the worm to send a 1-byte 
datagram to a port on the host ernie.berkeley.edu, which is located in the Computer Science Department at UC 
Berkeley. It has been suggested that this was a feint, designed to draw attention to ernie and away from the author’s 


doit() { 

seed the random number generator with the time 

attack hosts: gateways, local nets, remote nets 

checkother(); 

send_message(); 

for (;;) { 

cracksome(); 
other_sleep(30); 
cracksome(); 
change our process ID 
attack hosts: gateways, known hosts, 
remote nets, local nets 
other_sleep( 1 20) ; 
if 12 hours have passed, 
reset hosts table 
if (pleasequit && nextw >10) 
exit(0); 

} 

} 


“C” pseudo-code for the doitQ function 
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port 23357. The connection attempt returns immediately if no server is present, but blocks if one is available and 
busy; a server worm periodically runs its server code during time-consuming operations so that the queue of connec- 
tions does not grow large. After the client exchanges magic numbers with the server as a trivial form of authentica- 
tion, the client and the server roll dice to see who gets to survive. If the exclusive-or of the respective low bits of 
the client’s and the server’s random numbers is 1, the server wins, otherwise the client wins. The loser sets a flag 
pleasequit that eventually allows it to exit at the bottom of the main loop. If at any time a problem occurs — a read 
from the server fails, or the wrong magic number is returned — the client worm returns from the function, becoming 
a worm that never acts as a server and hence does not engage in population control. Perhaps as a precaution against 
a cataleptic server, a test at the top of the function causes 1 in 7 worms to skip population control. Thus the worm 
finishes the population game in checkotherQ in one of three states: scheduled to die after some time, with pleasequit 
set; running as a server, with the possibility of losing the game later; and immortal, safe from the gamble of popula- 
tion control. 

A complementary routine other_sleepQ executes the server function. It is passed a time in seconds, and it 
uses the Berkeley selectQ system call to wait for that amount of time accepting connections from clients. On entry 
to the function, it tests to see whether it has a communications port with which to accept connections; if not, it sim- 
ply sleeps for the specified amount of time and returns. Otherwise it loops on selectQ, decrementing its time 
remaining after serving a client until no more time is left and the function returns. When the server acquires a 
client, it performs the inverse of the client’s protocol, eventually deciding whether to proceed or to quit. 
other_sleepQ is called from many different places in the code, so that clients are not kept waiting too long. 

Given the worm’s elaborate scheme for controlling re-infection, what led it to reproduce so quickly on an 
individual machine that it could swamp it? One culprit is the 1 in 7 test in checkotherQ : worms that skip the client 
phase become immortal, and thus don’t risk being eliminated by a roll of the dice. Another source of system load- 
ing is the problem that when a worm decides it has lost, it can still do a lot of work before it actually exits. The 
client routine isn’t even run until the newly born worm has attempted to infect at least one remote host, and even if a 
worm loses the roll, it continues executing to the bottom of the main loop, and even then it won’t exit unless it has 
gone through the main loop several times, limited by its progress in cracking passwords. Finally, new worms lose 
all of the history of infection that their parents had, so the children of a worm are constantly trying to re-infect the 
parent’s host, as well as the children’s hosts. Put all of these factors together and it comes as no surprise that 
within an hour or two after infection, a machine may be entirely devoted to executing worms. 

4.4. Locating new hosts to infect 

One of the characteristics of the worm is that all of its attacks are active, never passive. A consequence of 
this is that the worm can’t wait for a user to take it over to another machine like gum on a shoe — it must search out 
hosts on its own. 

The worm has a very distinct list of priorities when hunting for hosts. Its favorite hosts are gateways; the hgQ 
routine tries to infect each of the hosts it believes to be gateways. Only when all of the gateways are known to be 
infected or infection-proof does the worm go on to other hosts. hgQ calls the rt_initQ function to get a list of gate- 
ways; this list is derived by running the netstat network status program and parsing its output. The worm is careful 
to skip the loopback device and any local interfaces (in the event that the current host is a gateway); when it 
finishes, it randomizes the order of the list and adds the first 20 gateways to the host table to speed up the initial 
searches. It then tries each gateway in sequence until it finds a host that can be infected, or it runs out of hosts. 

After taking care of gateways, the worm’s next priority is hosts whose names were found in a scan of system 
files. At the start of password cracking, the files /etc/hosts. equiv (which contains names of hosts to which the local 
host grants user permissions without authentication) and / rhosts (which contains names of hosts from which the 
local host permits remote privileged logins) are examined, as are all users’ .forward files (which list hosts to which 
mail is forwarded from the current host). These hosts are flagged so that they can be scanned earlier than the rest. 
The hiQ function is then responsible for attacking these hosts. 

When the most profitable hosts have been used up, the worm starts looking for hosts that aren’t recorded in 
files. The routine hlQ checks local networks: it runs through the local host’s addresses, masking off the host part 
and substituting a random value. haQ does the same job for remote hosts, checking alternate addresses of gateways. 
Special code handles the ARPAnet practice of putting the IMP number in the low host bits and the actual IMP port 
(representing the host) in the high host bits. The function that runs these random probes, which we named 
hack_netofQ, seems to have a bug that prevents it from attacking hosts on local networks; this may be due to our 
own misunderstanding, of course, but in any case the check of hosts from system files should be sufficient to cover 
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all or nearly all of the local hosts anyway. 

Password cracking is another generator of host names, but since this is handled separately from the usual host 
attack scheme presented here, it will be discussed below with the other material on passwords. 

4.5. Security holes 

The first fact to face is that Unix was not developed with security, in any realistic sense, in mind... [Dennis Ritchie, 

“On the Security of Unix”] 

This section discusses the TCP services used by the worm to penetrate systems. It’s a touch unfair to use the 
quote above when the implementation of the services we’re about to discuss was distributed by Berkeley rather than 
Bell Labs, but the sentiment is appropriate. For a long time the balance between security and convenience on Unix 
systems has been tilted in favor of convenience. As Brian Reid has said about the break-in at Stanford two years 
ago: ‘ ‘Programmer convenience is the antithesis of security, because it is going to become intruder convenience if 
the programmer’s account is ever compromised.” The lesson from that experience seems to have been forgotten by 
most people, but not by the author of the worm. 

4.5.1. Rsh and rexec 

These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly 
very distant hosts to masquerade as users on trusted hosts. [Robert T. Morris, “A Weakness in the 4.2BSD Unix 
TCP/IP Software”] 

Rsh and rexec are network services which offer remote command interpreters. Rexec uses password authenti- 
cation; rsh relies on a “privileged” originating port and permissions files. Two vulnerabilities are exploited by the 
worm — the likelihood that a remote machine that has an account for a local user will have the same password as the 
local account, allowing penetration through rexec , and the likelihood that such a remote account will include the 
local host in its rsh permissions files. Both of these vulnerabilities are really problems with laxness or convenience 
for users and system administrators rather than actual bugs, but they represent avenues for infection just like inad- 
vertent security bugs. 

The first use of rsh by the worm is fairly simple: it looks for a remote account with the same name as the one 
that is (unsuspectingly) running the worm on the local machine. This test is part of the standard menu of hacks con- 
ducted for each host; if it fails, the worm falls back upon finger, then sendmail. Many sites, including Utah, already 
were protected from this trivial attack by not providing remote shells for pseudo-users like daemon or nobody. 

A more sophisticated use of these services is found in the password cracking routines. After a password is 
successfully guessed, the worm immediately tries to penetrate remote hosts associated with the broken account. It 
reads the user’s .forward file (which contains an address to which mail is forwarded) and .rhosts file (which contains 
a list of hosts and optionally user names on those hosts which are granted permission to access the local machine 
with rsh bypassing the usual password authentication), trying these hostnames until it succeeds. Each target host is 
attacked in two ways. The worm first contacts the remote host’s rexec server and sends it the account name found 
in the forward or .rhosts files followed by the guessed password. If this fails, the worm connects to the local rexec 
server with the local account name and uses that to contact the target’s rsh server. The remote rsh server will permit 
the connection provided the name of the local host appears in either the /etc/hosts. equiv file or the user’s private 
.rhosts file. 

Strengthening these network services is far more problematic than fixing/mger and sendmail, unfortunately. 
Users don’t like the inconvenience of typing their password when logging in on a trusted local host, and they don’t 
want to remember different passwords for each of the many hosts they may have to deal with. Some of the solu- 
tions may be worse than the disease — for example, a user who is forced to deal with many passwords is more likely 
to write them down somewhere. 

4.5.2. Finger 

gets was removed from our [C library] a couple days ago. [Bill Cheswick at AT&T Bell Labs Research, private com- 
munication, 11/9/88] 

Probably the neatest hack in the worm is its co-opting of the TCP finger service to gain entry to a system. 
Finger reports information about a user on a host, usually including things like the user’s full name, where their 
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office is, the number of their phone extension and so on. The Berkeley 3 version of the finger server is a really trivial 
program: it reads a request from the originating host, then runs the local finger program with the request as an argu- 
ment and ships the output back. Unfortunately the finger server reads the remote request with getsQ, a standard C 
library routine that dates from the dawn of time and which does not check for overflow of the server’s 512 byte 
request buffer on the stack. The worm supplies the finger server with a request that is 536 bytes long; the bulk of 
the request is some VAX machine code that asks the system to execute the command interpreter sh, and the extra 24 
bytes represent just enough data to write over the server’s stack frame for the main routine. When the main routine 
of the server exits, the calling function’s program counter is supposed to be restored from the stack, but the worm 
wrote over this program counter with one that points to the VAX code in the request buffer. The program jumps to 
the worm’s code and runs the command interpreter, which the worm uses to enter its bootstrap. 

Not surprisingly, shortly after the worm was reported to use this feature of getsQ, a number of people replaced 
all instances of getsQ in system code with sensible code that checks the length of the buffer. Some even went so far 
as to remove getsQ from the library, although the function is apparently mandated by the forthcoming ANSI C stan- 
dard 4 . So far no one has claimed to have exercised the finger server bug before the worm incident, but in May 1988, 
students at UC Santa Cruz apparently penetrated security using a different finger server with a similar bug. The sys- 
tem administrator at UCSC noticed that the Berkeley finger server had a similar bug and sent mail to Berkeley, but 
the seriousness of the problem was not appreciated at the time (Jim Haynes, private communication). 

One final note: the worm is meticulous in some areas but not in others. From what we can tell, there was no 
Sun-3 version of the finger intrusion even though the Sun-3 server was just as vulnerable as the VAX one. Perhaps 
the author had VAX sources available but not Sun sources? 

4.5.3. Sendmail 

[T]he trap door resulted from two distinct ‘features’ that, although innocent by themselves, were deadly when com- 
bined (kind of like binary nerve gas). [Eric Allman, personal communication, 1 1/22/88] 

The sendmail attack is perhaps the least preferred in the worm’s arsenal, but in spite of that one site at Utah 
was subjected to nearly 150 sendmail attacks on Black Thursday. Sendmail is the program that provides the SMTP 
mail service on TCP networks for Berkeley UNIX systems. It uses a simple character-oriented protocol to accept 
mail from remote sites. One feature of sendmail is that it permits mail to be delivered to processes instead of mail- 
box files; this can be used with (say) the vacation program to notify senders that you are out of town and are tem- 
porarily unable to respond to their mail. Normally this feature is only available to recipients. Unfortunately a little 
loophole was accidentally created when a couple of earlier security bugs were being fixed — if sendmail is compiled 
with the DEBUG flag, and the sender at runtime asks that sendmail enter debug mode by sending the debug com- 
mand, it permits senders to pass in a command sequence instead of a user name for a recipient. Alas, most versions 
of sendmail are compiled with DEBUG , including the one that Sun sends out in its binary distribution. The worm 
mimics a remote SMTP connection, feeding in / dev/null as the name of the sender and a carefully crafted string as 
the recipient. The string sets up a command that deletes the header of the message and passes the body to a com- 
mand interpreter. The body contains a copy of the worm bootstrap source plus commands to compile and run it. 
After the worm finishes the protocol and closes the connection to sendmail, the bootstrap will be built on the remote 
host and the local worm waits for its connection so that it can complete the process of building a new worm. 

Of course this is not the first time that an inadvertent loophole or “trap door” like this has been found in 
sendmail, and it may not be the last. In his Turing Award lecture, Ken Thompson said: “You can’t trust code that 
you did not totally create yourself. (Especially code from companies that employ people like me.)” In fact, as Eric 
Allman says, “[Y]ou can’t even trust code that you did totally create yourself.” The basic problem of trusting sys- 
tem programs is not one that is easy to solve. 

4.6. Infection 

The worm uses two favorite routines when it decides that it wants to infect a host. One routine that we named 
infectQ is used from host scanning routines like hgQ. infectQ first checks that it isn’t infecting the local machine, an 
already infected machine or a machine previously attacked but not successfully infected; the ‘ ‘infected’ ’ and 


3 Actually, like much of the code in the Berkeley distribution, th e finger server was contributed from elsewhere; in this case, it appears that 
MIT was the source. 

4 See for example Appendix B, section 1 .4 of the second edition of The C Programming Language by Kemighan and Ritchie. 
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“immune” states are marked by flags on a host structure when attacks succeed or fail, respectively. The worm then 
makes sure that it can get an address for the target host, marking the host immune if it can’t. Then comes a series of 
attacks: first by rsh from the account that the worm is running under, then through finger, then through sendmail. If 
infectQ fails, it marks the host as immune. 

The other infection routine is named hulQ and it is run from the password cracking code after a password has 
been guessed. hulQ, like infectQ, makes sure that it’s not re-infecting a host, then it checks for an address. If a 
potential remote user name is available from a .forward, or .rhosts file, the worm checks it to make sure it is 
reasonable — it must contain no punctuation or control characters. If a remote user name is unavailable the worm 
uses the local user name. Once the worm has a user name and a password, it contacts the rexec server on the target 
host and tries to authenticate itself. If it can, it proceeds to the bootstrap phase; otherwise, it tries a slightly different 
approach — it connects to the local rexec server with the local user name and password, then uses this command 
interpreter to fire off a command interpreter on the target machine with rsh. This will succeed if the remote host 
says it trusts the local host in its /etc/hosts.equiv file, or the remote account says it trusts the local account in its 
.rhosts file. hulQ ignores infectQ' s “immune” flag and does not set this flag itself, since hulQ may find success on 
a per-account basis that infectQ can’t achieve on a per-host basis. 

Both infectQ and hulQ use a routine we call sendwormQ to do their dirty work 5 . sendwormQ looks for the 
11. c bootstrap source file in its objects list, then it uses the makemagicQ routine to get a communication stream end- 
point (a socket), a random network port number to rendezvous at, and a magic number for authentication. (There is 
an interesting side effect to makemagicQ — it looks for a usable address for the target host by trying to connect to its 
TCP telnet port; this produces a characteristic log message from the telnet server.) If makemagicQ was successful, 
the worm begins to send commands to the remote command interpreter that was started up by the immediately 
preceding attack. It changes its directory to an unprotected place ( Vusr/tmp ), then it sends across the bootstrap 
source, using the Unix stream editor sed to parse the input stream. The bootstrap source is compiled and run on the 
remote system, and the worm runs a routine named waithitQ to wait for the remote bootstrap to call back on the 
selected port. 

The bootstrap is quite simple. It is supplied the address of the originating host, a TCP port number and a 
magic number as arguments. When it starts, it unlinks itself so that it can’t be detected in the filesystem, then it calls 
forkQ to create a new process with the same image. The old process exits, permitting the originating worm to con- 
tinue with its business. The bootstrap reads its arguments then zeroes them out to hide them from the system status 
program; then it is ready to connect over the network to the parent worm. When the connection is made, the 
bootstrap sends over the magic number, which the parent will check against its own copy. If the parent accepts the 
number (which is carefully rendered to be independent of host byte order), it will send over a series of filenames and 
files which the bootstrap writes to disk. If trouble occurs, the bootstrap removes all these files and exits. Eventually 
the transaction completes, and the bootstrap calls up a command interpreter to finish the job. 

In the meantime, the parent in waithitQ spends up to two minutes waiting for the bootstrap to call back; if the 
bootstrap fails to call back, or the authentication fails, the worm decides to give up and reports a failure. When a 
connection is successful, the worm ships all of its files across followed by an end-of-file indicator. It pauses four 
seconds to let a command interpreter start on the remote side, then it issues commands to create a new worm. For 
each relocatable object file in the list of files, the worm tries to build an executable object; typically each file con- 
tains code for a particular make of computer, and the builds will fail until the worm tries the proper computer type. 

If the parent worm finally gets an executable child worm built, it sets it loose with the — p option to kill the command 
interpreter, then shuts down the connection. The target host is marked “infected”. If none of the objects produces 
a usable child worm, the parent removes the detritus and waithitQ returns an error indication. 

When a system is being swamped by worms, the /usr/tmp directory can fill with leftover files as a conse- 
quence of a bug in waithitQ. If a worm compile takes more than 30 seconds, resynchronization code will report an 
error but waithitQ will fail to remove the files it has created. On one of our machines, 13 MB of material represent- 
ing 86 sets of files accumulated over 5.5 hours. 


5 One minor exception: the sendmail attack doesn’t use sendwormQ since it needs to handle the SMTP protocol in addition to the command 
interpreter interface, but the principle is the same. 
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4.7. Password cracking 

A password cracking algorithm seems like a slow and bulky item to put in a worm, but the worm makes this 
work by being persistent and efficient. The worm is aided by some unfortunate statistics about typical password 
choices. Here we discuss how the worm goes about choosing passwords to test and how the UNIX password encryp- 
tion routine was modified. 

4.7.1. Guessing passwords 

For example, if the login name is “abc”, then “abc”, “cba”, and “abcabc” are excellent candidates for passwords. 

[Grampp and Morris, “Unix Operating System Security”] 

The worm’s password guessing is driven by a little 4-state machine. The first state gathers password data, 
while the remaining states represent increasingly less likely sources of potential passwords. The central cracking 
routine is called cracksomeQ , and it contains a switch on each of the four states. 

The routine that implements the first state we named crack_0Q. This routine’s job is to collect information 
about hosts and accounts. It is only run once; the information it gathers persists for the lifetime of the worm. Its 
implementation is straightforward: it reads the files /etc/hosts, equiv and /.rhosts for hosts to attack, then reads the 
password file looking for accounts. For each account, the worm saves the name, the encrypted password, the home 
directory and the user information fields. As a quick preliminary check, it looks for a .forward, file in each user’s 
home directory and saves any host name it finds in that file, marking it like the previous ones. 

We unimaginatively called the function for the next state crack_lQ. crack_lQ looks for trivially broken pass- 
words. These are passwords which can be guessed merely n the basis of information already contained in the pass- 
word file. Grampp and Morris report a survey of over 100 password files where between 8 and 30 percent of all 
passwords were guessed using just the literal account name and a couple of variations. The worm tries a little 
harder than this: it checks the null password, the account name, the account name concatenated with itself, the first 
name (extracted from the user information field, with the first letter mapped to lower case), the last name, and the 
account name reversed. It runs through up to 50 accounts per call to cracksomeQ, saving its place in the list of 
accounts and advancing to the next state when it runs out of accounts to try. 

The next state is handled by crack_2Q. In this state the worm compares a list of favorite passwords, one pass- 
word per call, with all of the encrypted passwords in the password file. The list contains 432 words, most of which 
are real English words or proper names; it seems likely that this list was generated by stealing password files and 
cracking them at leisure on the worm author’s home machine. A global variable nextw is used to count the number 
of passwords tried, and it is this count (plus a loss in the population control game) that controls whether the worm 
exits at the end of the main loop — nextw must be greater than 10 before the worm can exit. Since the worm nor- 
mally spends 2.5 minutes checking for clients over the course of the main loop and calls cracksomeQ twice in that 
period, it appears that the worm must make a minimum of 7 passes through the main loop, taking more than 15 
minutes 6 . It will take at least 9 hours for the worm to scan its built-in password list and proceed to the next state. 

The last state is handled by crack_3Q. It opens the Unix online dictionary /usr/dict/words and goes through it 
one word at a time. If a word is capitalized, the worm tries a lower-case version as well. This search can essentially 
go on forever: it would take something like four weeks for the worm to finish a typical dictionary like ours. 

When the worm selects a potential password, it passes it to a routine we called try jpasswordQ. This function 
calls the worm’s special version of the Unix password encryption function cryptQ and compares the result with the 
target account’s actual encrypted password. If they are equal, or if the password and guess are the null string (no 
password), the worm saves the cleartext password and proceeds to attack hosts that are connected to this account. A 
routine we called try_forward_and_rhostsQ reads the user’s forward and .rhosts files, calling the previously 
described hulQ function for each remote account it finds. 


6 For those mindful of details: The first call to cracksomeQ is consumed reading system files. The worm must spend at least one call to 
cracksomeQ in the second state attacking trivial passwords. This accounts for at least one pass through the main loop. In the third state, crack- 
someQ tests one password from its list of favorites on each call; the worm will exit if it lost a roll of the dice and more than ten words have been 
checked, so this accounts for at least six loops, two words on each loop for five loops to reach 1 0 words, then another loop to pass that number. 
Altogether this amounts to a minimum of 7 loops. If all 7 loops took the maximum amount of time waiting for clients, this would require a 
minimum of 17.5 minutes, but the 2-minute check can exit early if a client connects and the server loses the challenge, hence 15.5 minutes of 
waiting time plus runtime overhead is the minimum lifetime. In this period a worm will attack at least 8 hosts through the host infection routines, 
and will try about 18 passwords for each account, attacking more hosts if accounts are cracked. 
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4.7.2. Faster password encryption 

The use of encrypted passwords appears reasonably secure in the absence of serious attention of experts in the field. 
[Morris and Thompson, “Password Security: A Case History”] 

Unfortunately some experts in the field have been giving serious attention to fast implementations of the Unix 
password encryption algorithm. Unix password authentication works without putting any readable version of the 
password onto the system, and indeed works without protecting the encrypted password against reading by users on 
the system. When a user types a password in the clear, the system encrypts it using the standard cryptQ library rou- 
tine, then compares it against a saved copy of the encrypted password. The encryption algorithm is meant to be 
basically impossible to invert, preventing the retrieval of passwords by examining only the encrypted text, and it is 
meant to be expensive to run, so that testing guesses will take a long time. The Unix password encryption algorithm 
is based on the Federal Data Encryption Standard (DES). Currently no one knows how to invert this algorithm in a 
reasonable amount of time, and while fast DES encoding chips are available, the Unix version of the algorithm is 
slightly perturbed so that it is impossible to use a standard DES chip to implement it. 

Two problems have been mitigating against the Unix implementation of DES. Computers are continually 
increasing in speed — current machines are typically several times faster than the machines that were available when 
the current password scheme was invented. At the same time, ways have been discovered to make software DES 
run faster. Unix passwords are now far more susceptible to persistent guessing, particularly if the encrypted pass- 
words are already known. The worm’s version of the Unix cryptQ routine ran more than 9 times faster than the 
standard version when we tested it on our VAX 8600. While the standard cryptQ takes 54 seconds to encrypt 271 
passwords on our 8600 (the number of passwords actually contained in our password file), the worm’s cryptQ takes 
less than 6 seconds. 

The worm’s cryptQ algorithm appears to be a compromise between time and space: the time needed to 
encrypt one password guess versus the substantial extra table space needed to squeeze performance out of the algo- 
rithm. Curiously, one performance improvement actually saves a little space. The traditional Unix algorithm stores 
each bit of the password in a byte, while the worm’s algorithm packs the bits into two 32-bit words. This permits 
the worm’s algorithm to use bit-field and shift operations on the password data, which is immensely faster. Other 
speedups include unrolling loops, combining tables, precomputing shifts and masks, and eliminating redundant ini- 
tial and final permutations when performing the 25 applications of modified DES that the password encryption algo- 
rithm uses. The biggest performance improvement comes as a result of combining permutations: the worm uses 
expanded arrays which are indexed by groups of bits rather than the single bits used by the standard algorithm. Matt 
Bishop’s fast version of cryptQ does all of these things and also precomputes even more functions, yielding twice 
the performance of the worm’s algorithm but requiring nearly 200 KB of initialized data as opposed to the 6 KB 
used by the worm and the less than 2 KB used by the normal cryptQ. 

How can system administrators defend against fast implementations of cryptQ ? One suggestion that has been 
introduced for foiling the bad guys is the idea of shadow password files. In this scheme, the encrypted passwords 
are hidden rather than public, forcing a cracker to either break a privileged account or use the host’s CPU and (slow) 
encryption algorithm to attack, with the added danger that password test requests could be logged and password 
cracking discovered. The disadvantage of shadow password files is that if the bad guys somehow get around the 
protections for the file that contains the actual passwords, all of the passwords must be considered cracked and will 
need to be replaced. Another suggestion has been to replace the Unix DES implementation with the fastest avail- 
able implementation, but run it 1000 times or more instead of the 25 times used in the Unix cryptQ code. Unless the 
repeat count is somehow pegged to the fastest available CPU speed, this approach merely postpones the day of 
reckoning until the cracker finds a faster machine. It’s interesting to note that Morris and Thompson measured the 
time to compute the old M-209 (non-DES) password encryption algorithm used in early versions of Unix on the 
PDP-11/70 and found that a good implementation took only 1.25 milliseconds per encryption, which they deemed 
insufficient; currently the VAX 8600 using Matt Bishop’s DES-based algorithm needs 11.5 milliseconds per encryp- 
tion, and machines 10 times faster than the VAX 8600 at a cheaper price will be available soon (if they aren’t 
already!). 

5. Opinions 

The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor’s house. It 
should not matter that the neighbor’s door is unlocked. [Ken Thompson, 1983 Turing Award Lecture] 

[Creators of viruses are] stealing a car for the purpose of joyriding. [R H Morris, in 1983 Capitol Hill testimony, cited 
in the New York Times 1 1/1 1/88] 
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:areless 


I don’t propose to offer definitive statements on the morality of the worm’s author, the ethics of publishing 
security information or the security needs of the UNIX computing community, since people better (and less) 
qualified than I are still copiously flaming on these topics in the various network newsgroups and mailing lists. For 
the sake of the mythical ordinary system administrator who might have been confused by all the information and 
misinformation, I will try to answer a few of the most relevant questions in a narrow but useful way. 

Did the worm cause damage? The worm did not destroy files, intercept private mail, reveal passwords, cor- 
rupt databases or plant trojan horses. It did compete for CPU time with, and eventually overwhelm, ordinary user 
processes. It used up limited system resources such as the open file table and the process text table, causing user 
processes to fail for lack of same. It caused some machines to crash by operating them close to the limits of their 
capacity, exercising bugs that do not appear under normal loads. It forced administrators to perform one or more 
reboots to clear worms from the system, terminating user sessions and long-running jobs. It forced administrators to 
shut down network gateways, including gateways between important nation-wide research networks, in an effort to 
isolate the worm; this led to delays of up to several days in the exchange of electronic mail, causing some projects to 
miss deadlines and others to lose valuable research time. It made systems staff across the country drop their ongo- 
ing hacks and work 24-hour days trying to corner and kill worms. It caused members of management in at least one 
institution to become so frightened that they scrubbed all the disks at their facility that were online at the time of the 
infection, and limited reloading of files to data that was verifiably unmodified by a foreign agent. It caused 
bandwidth through gateways that were still running after the infection started to become substantially degraded — 
the gateways were using much of their capacity just shipping the worm from one network to another. It penetrated 
user accounts and caused it to appear that a given user was disturbing a system when in fact they were not responsi- 
ble. It’s true that the worm could have been far more harmful that it actually turned out to be: in the last few weeks, 
several security bugs have come to light which the worm could have used to thoroughly destroy a system. Perhaps 
we should be grateful that we escaped incredibly awful consequences, and perhaps we should also be grateful that 
we have learned so much about the weaknesses in our systems’ defenses, but I think we should share our grateful- 
ness with someone other than the worm’s author. 

Was the worm malicious? Some people have suggested that the worm was an innocent experiment that got 
out of hand, and that it was never intended to spread so fast or so widely. We can find evidence in the worm to sup- 
port and to contradict this hypothesis. There are a number of bugs in the worm that appear to be the result of hasty 
or programming. For example, in the worm’s if_init() routine, there is a call to the block zero function 

bzeroQ that incorrectly uses the block itself rather than the block’s address as an argument. It’s also possible that a 
bug was responsible for the ineffectiveness of the population control measures used by the worm. This could be 
seen as evidence that a development version of the worm “got loose” accidentally, and perhaps the author origi- 
nally intended to test the final version under controlled conditions, in an environment from which it would not 
escape. On the other hand, there is considerable evidence that the worm was designed to reproduce quickly and 
spread itself over great distances. It can be argued that the population control hacks in the worm are anemic by 
design: they are a compromise between spreading the worm as quickly as possible and raising the load enough to be 
detected and defeated. A worm will exist for a substantial amount of time and will perform a substantial amount of 
work even if it loses the roll of the (imaginary) dice; moreover, 1 in 7 worms become immortal and can’t be killed 
by dice rolls. There is ample evidence that the worm was designed to hamper efforts to stop it even after it was 
identified and captured. It certainly succeeded in this, since it took almost a day before the last mode of infection 
(the finger server) was identified, analyzed and reported widely; the worm was very successful in propagating itself 
during this time even on systems which had fixed the sendmail debug problem and had turned off rexec. Finally, 
there is evidence that the worm’s author deliberately introduced the worm to a foreign site that was left open and 
welcome to casual outside users, rather ungraciously abusing this hospitality. He apparently further abused this trust 
by deleting a log file that might have revealed information that could link his home site with the infection. I think 
the innocence lies in the research community rather than with the worm’s author. 

Will publication of worm details further harm security? In a sense, the worm itself has solved that problem: it 
has published itself by sending copies to hundreds or thousands of machines around the world. Of course a bad guy 
who wants to use the worm’s tricks would have to go through the same effort that we went through in order to 
understand the program, but then it only took us a week to completely decompile the program, so while it takes for- 
titude to hack the worm, it clearly is not greatly difficult for a decent programmer. One of the worm’s most effec- 
tive tricks was advertised when it entered — the bulk of the sendmail hack is visible in the log file, and a few 
minutes’ work with the sources will reveal the rest of the trick. The worm’s fast password algorithm could be useful 
to the bad guys, but at least two other faster implementations have been available for a year or more, so it isn’t very 
secret, or even very original. Finally, the details of the worm have been well enough sketched out on various 
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newsgroups and mailing lists that the principal hacks are common knowledge. I think it’s more important that we 
understand what happened, so that we can make it less likely to happen again, than that we spend time in a futile 
effort to cover up the issue from everyone but the bad guys. Fixes for both source and binary distributions are 
widely available, and anyone who runs a system with these vulnerabilities needs to look into these fixes immedi- 
ately, if they haven’t done so already. 

6. Conclusion 

It has raised the public awareness to a considerable degree. [R H Morris, quoted in the New York Times 1 1/5/88] 

This quote is one of the understatements of the year. The worm story was on the front page of the New York 
Times and other newspapers for days. It was the subject of television and radio features. Even the Bloom County 
comic strip poked fun at it. 

Our community has never before been in the limelight in this way, and judging by the response, it has scared 
us. I won’t offer any fancy platitudes about how the experience is going to change us, but I will say that I think 
these issues have been ignored for much longer than was safe, and I feel that a better understanding of the crisis just 
past will help us cope better with the next one. Let’s hope we’re as lucky next time as we were this time. 
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